Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use kube auth method to provision ACL token for the crd controller #995

Merged
merged 8 commits into from
Mar 2, 2022
Merged

Use kube auth method to provision ACL token for the crd controller #995

merged 8 commits into from
Mar 2, 2022

Conversation

kschoche
Copy link
Contributor

@kschoche kschoche commented Jan 25, 2022
edited
Loading

Changes proposed in this PR:

  • Adds a new auth method called release-name-consul-k8s-component-auth-method which will be used for components to issue ACL().Login() at startup.
  • Modify the acl-init init container to issue an ACL().Login() to fetch the component's ACL token on startup and store it locally, using the aforementioned new authMethod.
  • Modifies server-acl-init job to create the new auth method and also no longer provision Kube secrets for the controller.
  • Modifies the server-acl-init unit tests to support cases where we do not have a 1:1 mapping of policies:kube tokens.
  • Adds a new subcommand consul-logout which is used as a preStop hook for component pods to destroy the ACL token that was created through acl-init.
  • move the logic of Login() that resides in connect-init/command.go to common/ and use this in both acl-init and connect-init.
  • Applies the above features to the CRD controller deployment.
  • Adds bats tests coverage.
  • always deploy the connect-inject serviceaccount + role + rolebinding, this bhehaviour will be changed in a follow-on PR

How I've tested this PR:

  • Manual testing using the below steps
  • Update unit tests
  • Add unit tests

How I expect reviewers to test this PR:
Check out the associated branch and install using the following val.yaml file:

demo $ cat val.yaml
global:
  image: hashicorp/consul:1.11.3
  imageK8S: kyleschochenmaier/consul-k8s-acls
  tls:
    enabled: true
  acls:
    manageSystemACLs: true
controller:
  enabled: true
connectInject:
  enabled: true
ui:
  enabled: true
server:
  enabled: true
  replicas: 1
  • Install using helm: helm install kyle-consul ~/go/src/github.com/hashicorp/consul-k8s/charts/consul -f val.yaml
  • Once everything is online you can check logs : demo $ k logs -f deployment/kyle-consul-consul-controller -c controller-acl-init and look for the ACL login at the end.
  • kubectl get secrets will confirm that we've not created an (opaque) ACL token for the controller.
  • open the UI and navigate to the ACL tokens window, then delete the controller pod and see the old ACL token cleaned up and a new one provisioned when the pod starts.

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@kschoche kschoche added area/acls Related to ACLs vault labels Jan 25, 2022
@kschoche kschoche self-assigned this Jan 25, 2022
@kschoche kschoche force-pushed the controller-acl-token-refactor branch from 2963083 to 8083339 Compare January 25, 2022 21:29
@kschoche kschoche changed the title Use kube auth method to provision ACL token for the controller Use kube auth method to provision ACL token for the crd controller Jan 25, 2022
@kschoche kschoche force-pushed the controller-acl-token-refactor branch 2 times, most recently from 5717075 to 4ca97a5 Compare January 28, 2022 00:26
@kschoche kschoche force-pushed the controller-acl-token-refactor branch from a28f01f to dc31e0a Compare February 7, 2022 20:50
@kschoche kschoche marked this pull request as ready for review February 8, 2022 14:49
@kschoche kschoche requested review from a team, ndhanushkodi and ishustava and removed request for a team February 9, 2022 15:43
@thisisnotashwin thisisnotashwin requested review from thisisnotashwin and removed request for ndhanushkodi February 16, 2022 20:32
ishustava
ishustava reviewed Feb 17, 2022
View reviewed changes
Copy link
Contributor

@ishustava ishustava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on this Kyle!

I'm leaving my comments so far. I mostly reviewed everything but didn't look too deeply into server-acl-init tests. Will take another look once the comments are addressed.

charts/consul/templates/controller-deployment.yaml Outdated
image: {{ .Values.global.imageK8S }}
volumeMounts:
- mountPath: /consul/connect-inject
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: could we rename this volume's mount path since it's not connect injector?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call out, I wonder what a good name is instead? /consul/data? We use /consul/data in other places?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be even something specific like /consul/token or /consul/login since that's the only thing we use it for

charts/consul/templates/controller-deployment.yaml Outdated
{{- if .Values.global.adminPartitions.enabled }}
-enable-partitions=true \
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-k8s-namespace={{ .Release.Namespace }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need this flag? since we're no longer reading the secret to get the ACL token, we can probably omit it?

charts/consul/templates/server-acl-init-job.yaml Outdated
@@ -238,6 +238,7 @@ spec:

{{- if .Values.controller.enabled }}
-create-controller-token=true \
-create-component-auth-method=true \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're hard-coding it to true, should we remove this flag and always create the auth method?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think that is fair, I'll remove the flag and always create the auth method, which is done inside server-acl-init meaning we already know ACLs are enabled :)

charts/consul/test/unit/controller-deployment.bats
local actual=$(echo $object |
yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work on these tests!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

charts/consul/test/unit/controller-deployment.bats Show resolved Hide resolved
control-plane/subcommand/server-acl-init/connect_inject.go Outdated
func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client) error {

authMethodName := c.withPrefix("k8s-auth-method")
func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client, authMethodName string, createInjectBindingRule bool) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

createInjectBindingRule is not used

control-plane/subcommand/server-acl-init/command.go Outdated
func (c *Command) createACLPolicyRoleAndBindingRule(componentName string, rules string, dc string, isPrimary bool, globalToken bool,
authMethodName string, serviceAccountName string, client *api.Client) error {
// Create policy with the given rules.
policyName := fmt.Sprintf("%s-token", componentName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it'd be nice to rename these so that they don't reference token since we're not creating tokens anymore

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reasoning I had for leaving this the way it is is that this is the policy for the token, and it is intended to be used to create the token, but I don't feel strongly one way or the other though about it.
Do you have any idea on alternative names? eg *-policy ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to *-policy

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 Policy makes the most sense

control-plane/subcommand/server-acl-init/command.go Outdated
if err != nil {
c.log.Error("unable to create role", err)
return err
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think calls to update and create should be inside untilSucceeds like we do for other ACL objects

control-plane/subcommand/server-acl-init/command.go Outdated
Comment on lines 1091 to 1092
// stupid linter: uncomment this when we add a non-global token
// const globalTokenFalse = false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing this comment is not needed?

control-plane/subcommand/server-acl-init/command_ent_test.go Outdated
PolicyNames: []string{"controller-token"},
PolicyDCs: nil,
SecretNames: []string{resourcePrefix + "-controller-acl-token"},
SecretNames: nil,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to add other assertions here to check that role/binding rule is created

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created a test that validates the roles and bindings separately.
Maybe it makes sense to remove all of the other tests for each token as we go?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think we need to re-think how to test this going forward rather than trying to fit it into existing tests.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's what I did with the tests :

  • I've reverted the changes to server-acl-init/command_test and removed the table tests for the controller.
  • I've added a new test which specifically validates that the policies and binding rules get created and are correct, for each token that we convert to the new auth method workflow we'll add a table test entry to that test.

@kschoche kschoche changed the base branch from main to acls-refactor-base-branch February 22, 2022 21:35
thisisnotashwin
thisisnotashwin reviewed Feb 24, 2022
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks so promising!! Great work Kyle. I have left some comments.

charts/consul/templates/controller-deployment.yaml Outdated Show resolved Hide resolved
charts/consul/templates/controller-deployment.yaml Outdated Show resolved Hide resolved
charts/consul/test/unit/server-acl-init-job.bats Outdated Show resolved Hide resolved
control-plane/helper/test/test_util.go Outdated
@@ -57,6 +58,79 @@ func GenerateServerCerts(t *testing.T) (string, string, string) {
return caFile.Name(), certFile.Name(), certKeyFile.Name()
}

// SetupK8sComponentAuthMethod create a k8s auth method, sample acl:write ACL policy, Role and BindingRule
// that allows the a client using `serviceAccount`'s JWT token to issue a consul login.
func SetupK8sComponentAuthMethod(t *testing.T, consulClient *api.Client, serviceAccountName, k8sServiceNS string) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should the namespace be the K8S component namespace here? ie k8sServiceNS -> k8sConmponentNS

control-plane/subcommand/acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command.go Outdated
func (c *Command) createACLPolicyRoleAndBindingRule(componentName string, rules string, dc string, isPrimary bool, globalToken bool,
authMethodName string, serviceAccountName string, client *api.Client) error {
// Create policy with the given rules.
policyName := fmt.Sprintf("%s-token", componentName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to *-policy

control-plane/subcommand/server-acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command.go Outdated
Comment on lines 898 to 1079
// This updates the binding rule any time the acl bootstrapping
// command is rerun, which is a bit of extra overhead, but is
// necessary to pick up any potential config changes.
if len(existingRules) > 0 {
// Find the policy that matches our name and description
// and that's the ID we need
for _, existingRule := range existingRules {
if existingRule.BindName == abr.BindName && existingRule.Description == abr.Description {
abr.ID = existingRule.ID
}
}

// This will only happen if there are existing policies
// for this auth method, but none that match the binding
// rule set up here in the bootstrap method.
if abr.ID == "" {
return errors.New("unable to find a matching ACL binding rule to update")
}

err = c.untilSucceeds(fmt.Sprintf("updating acl binding rule for %s", authMethodName),
func() error {
_, _, err := client.ACL().BindingRuleUpdate(abr, nil)
return err
})
} else {
// Otherwise create the binding rule
err = c.untilSucceeds(fmt.Sprintf("creating acl binding rule for %s", authMethodName),
func() error {
_, _, err := client.ACL().BindingRuleCreate(abr, nil)
return err
})

}
return err
}

// configureComponentAuthMethod sets up an AuthMethod that the Consul components will use to issue ACL logins with.
func (c *Command) configureComponentAuthMethod(consulClient *api.Client, authMethodName string) error {
// Create the auth method template. This requires calls to the kubernetes environment.
authMethodTmpl, err := c.createAuthMethodTmpl(authMethodName, false)
if err != nil {
return err
}
err = c.untilSucceeds(fmt.Sprintf("creating auth method %s", authMethodTmpl.Name),
func() error {
var err error
// `AuthMethodCreate` will also be able to update an existing
// AuthMethod based on the name provided. This means that any
// configuration changes will correctly update the AuthMethod.
_, _, err = consulClient.ACL().AuthMethodCreate(&authMethodTmpl, &api.WriteOptions{})
return err
})
return err
}

// createACLPolicyRoleAndBindingRule will create the ACL Policy for the component
// then create a set of ACLRole and ACLBindingRule which tie the component's serviceaccount
// to the authMethod, allowing the serviceaccount to later be allowed to issue a Consul Login.
func (c *Command) createACLPolicyRoleAndBindingRule(componentName string, rules string, dc string, isPrimary bool, globalToken bool,
authMethodName string, serviceAccountName string, client *api.Client) error {
// Create policy with the given rules.
policyName := fmt.Sprintf("%s-token", componentName)
if c.flagFederation && !isPrimary {
// If performing ACL replication, we must ensure policy names are
// globally unique so we append the datacenter name but only in secondary datacenters..
policyName += fmt.Sprintf("-%s", dc)
}
var datacenters []string
if !globalToken && dc != "" {
datacenters = append(datacenters, dc)
}
policyTmpl := api.ACLPolicy{
Name: policyName,
Description: fmt.Sprintf("%s Token Policy", policyName),
Rules: rules,
Datacenters: datacenters,
}
err := c.untilSucceeds(fmt.Sprintf("creating %s policy", policyTmpl.Name),
func() error {
return c.createOrUpdateACLPolicy(policyTmpl, client)
})
if err != nil {
return err
}

// Create an ACLRolePolicyLink list to attach to the ACLRole.
ap := &api.ACLRolePolicyLink{
Name: policyName,
}
apl := []*api.ACLRolePolicyLink{}
apl = append(apl, ap)

// Add the ACLRole and ACLBindingRule.
err = c.addRoleAndBindingRule(client, serviceAccountName, authMethodName, apl)
if err != nil {
return err
}
return err
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be moved to the file create_or_update or maybe a similar-ish file for readability.

control-plane/subcommand/server-acl-init/connect_inject.go Outdated Show resolved Hide resolved
@david-yu david-yu linked an issue Feb 25, 2022 that may be closed by this pull request
helm:Use consul login/auth method for consul-k8s component ACL tokens instead of kube secrets #653
Closed
@kschoche kschoche force-pushed the controller-acl-token-refactor branch from 3b46e4a to 49c6dbc Compare February 28, 2022 17:34
ishustava
ishustava approved these changes Mar 2, 2022
View reviewed changes
charts/consul/templates/controller-deployment.yaml Outdated Show resolved Hide resolved
charts/consul/test/unit/controller-deployment.bats Outdated Show resolved Hide resolved
charts/consul/test/unit/controller-deployment.bats Outdated
Comment on lines 688 to 696
@test "controller/Deployment: aclToken env is not set when ACLs are disabled" {
cd `chart_dir`
local actual=$(helm template \
-s templates/controller-deployment.yaml \
--set 'controller.enabled=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this test is a duplicate of controller/Deployment: CONSUL_HTTP_TOKEN_FILE is not set when acls are disabled

control-plane/helper/test/test_util.go Outdated Show resolved Hide resolved
control-plane/subcommand/acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/acl-init/command_test.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/create_or_update.go Outdated
// When secretID is provided, we will use that value for the created token and
// will skip writing it to a Kubernetes secret (because in this case we assume that
// this value already exists in some secrets storage).
func (c *Command) createACL(name, rules string, localToken bool, dc string, isPrimary bool, consulClient *api.Client, secretID string) error {
func (c *Command) createACL(name, rules string, localToken bool, dc string, isPrimary bool, createKubeSecret bool, consulClient *api.Client, secretID string) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

createKubeSecret is unused

control-plane/subcommand/server-acl-init/create_or_update.go Outdated
Comment on lines 230 to 238
// Check if the secret already exists, if so, we assume the ACL has already been
// created and return.
secretName := c.withPrefix(name + "-acl-token")
_, err = c.clientset.CoreV1().Secrets(c.flagK8sNamespace).Get(c.ctx, secretName, metav1.GetOptions{})
if err == nil {
c.log.Info(fmt.Sprintf("Secret %q already exists", secretName))
return nil
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be a strange diff but I think we already have this logic

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah you're right! This is unnecessary (duplicated right below) and was added by mistake when I did a large rebase, good catch!

thisisnotashwin
thisisnotashwin approved these changes Mar 2, 2022
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a few suggestions but we can merge this after!

control-plane/subcommand/acl-init/command_test.go Outdated
Comment on lines 211 to 216
tokenBytes, err := ioutil.ReadFile(tokenFile)
require.NoError(t, err)
require.Equal(t, 36, len(tokenBytes))
// Validate the Token.
_, _, err = consulClient.ACL().TokenReadSelf(&api.QueryOptions{Token: string(tokenBytes)})
require.NoError(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to add an assertion that the component name is correctly set on the metadata of that token?

charts/consul/templates/controller-deployment.yaml Outdated
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane consul-logout
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might need to pass in the partition here too based on what we learned with login.

charts/consul/templates/controller-deployment.yaml Outdated Show resolved Hide resolved
kschoche and others added 2 commits March 2, 2022 10:09
@kschoche @ishustava
Apply suggestions from code review
65310ee 
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
@kschoche
review comments
01210a9
@kschoche kschoche merged commit 23bde26 into acls-refactor-base-branch Mar 2, 2022
@kschoche kschoche deleted the controller-acl-token-refactor branch March 2, 2022 19:10
jmurret pushed a commit that referenced this pull request Mar 4, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
a618840 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 9, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
229f575 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 11, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
bb488b9 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 11, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
b87fa00 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 11, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
c96c709 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 11, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
fe0152f 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 15, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
c0dc098 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 16, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
cd10983 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 16, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
906d826 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 22, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
1f86a25 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret pushed a commit that referenced this pull request Mar 29, 2022
@kschoche @ishustava @jmurret
Use kube auth method to provision ACL token for the crd controller (#995
7a0d64e 
)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret added a commit that referenced this pull request Mar 31, 2022
@jmurret @kschoche
@ishustava @ndhanushkodi @lkysow
ACLs Refactor. Bootstrap Token and Snapshot Agent Config in Vault. Pr…
a713f85 
…e-configured bootstrap token as k8s secret. (#1128)

* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flakey server-acl-init tests with retries (#1095)

* Fix flakey server-acl-init tests with retries

* Adding retry for flakey server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
jmurret added a commit that referenced this pull request Apr 4, 2022
@jmurret @kschoche
@ishustava @ndhanushkodi @lkysow
Change log entries for ACL refactor (#1119)
0b5b37d 
* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flakey server-acl-init tests with retries (#1095)

* Fix flakey server-acl-init tests with retries

* Adding retry for flakey server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Updating changelog for ACLs work.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Adding note about old acl token cleanup.  Adding note about configuring k8sAuthMethodHost in secondary datacenters when using mesh gateways in mesh federation.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
geobeau pushed a commit to geobeau/consul-k8s that referenced this pull request May 20, 2022
bump consul version to 1.10.0-rc2 (hashicorp#995)
12fbb7c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thisisnotashwin thisisnotashwin thisisnotashwin approved these changes

@ishustava ishustava ishustava approved these changes

Assignees

@kschoche kschoche

Labels
area/acls Related to ACLs vault
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

helm:Use consul login/auth method for consul-k8s component ACL tokens instead of kube secrets
3 participants
@kschoche @ishustava @thisisnotashwin